A former core infrastructure engineer at an industrial company in New Jersey was arrested for attempting to extort his employer by locking Windows administrators out of 254 servers. On November 25, the company received a ransom email stating that all IT administrators had been locked out of their accounts and backups deleted, making data recovery impossible. The email demanded a ransom of €700,000 (20 Bitcoin) and threatened to shut down 40 servers daily if the payment was not made.
The investigation revealed that 57-year-old Daniel Rhyne had accessed the company’s systems without authorization between November 9 and November 25. Using his administrator account, he changed passwords for multiple accounts, impacting both server and workstation access. Rhyne also scheduled tasks to shut down random servers and workstations, indicating a planned attack on the company’s infrastructure.
Incriminating evidence was uncovered during the investigation, including web searches Rhyne conducted to gather information on deleting accounts and changing passwords using command-line tools. These searches were made using a hidden virtual machine and indicated premeditation in his extortion plot. On November 25, network administrators began receiving notifications of password changes, leading to the discovery that they had been locked out of their accounts.
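Both actions described above leave records in the Windows Security log: a password reset performed against another account is logged as event 4724, and the creation of a scheduled task as event 4698. The following detection script is an added example written for this page, not material from the article or the investigation. It takes JSON-lines event records and flags a single account resetting many other accounts' passwords in a short window, scheduled tasks whose action would shut down or reboot the host, and any account that does both. The account names, hostnames, timestamps and the five-resets-in-30-minutes threshold are constructed assumptions for illustration.

```python
"""Detect bulk password resets and shutdown scheduled tasks in Windows Security events.

Added example for this page, not code from the article. Event IDs 4724 and 4698
are the standard Windows Security IDs; every record below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_RESET = 4724   # "An attempt was made to reset an account's password"
TASK_CREATED = 4698     # "A scheduled task was created"

# Constructed sample events (JSON lines). Accounts, hosts and times are invented.
SAMPLE_EVENTS = """
{"time": "2023-11-25T08:01:10", "event_id": 4724, "subject": "svc_infra", "target": "admin.alice", "host": "DC01"}
{"time": "2023-11-25T08:02:31", "event_id": 4724, "subject": "svc_infra", "target": "admin.bob", "host": "DC01"}
{"time": "2023-11-25T08:03:45", "event_id": 4724, "subject": "svc_infra", "target": "admin.carol", "host": "DC01"}
{"time": "2023-11-25T08:05:02", "event_id": 4724, "subject": "svc_infra", "target": "admin.dave", "host": "DC01"}
{"time": "2023-11-25T08:07:19", "event_id": 4724, "subject": "svc_infra", "target": "admin.erin", "host": "DC01"}
{"time": "2023-11-25T08:09:58", "event_id": 4724, "subject": "svc_infra", "target": "admin.frank", "host": "DC01"}
{"time": "2023-11-25T08:15:00", "event_id": 4698, "subject": "svc_infra", "host": "FS01", "task_name": "Maintenance-1", "task_content": "shutdown.exe /s /f /t 0"}
{"time": "2023-11-25T08:16:12", "event_id": 4698, "subject": "svc_infra", "host": "APP03", "task_name": "Maintenance-2", "task_content": "powershell -Command Stop-Computer -Force"}
{"time": "2023-11-25T09:30:00", "event_id": 4724, "subject": "helpdesk", "target": "user.john", "host": "DC01"}
{"time": "2023-11-25T14:10:00", "event_id": 4724, "subject": "helpdesk", "target": "user.mary", "host": "DC01"}
{"time": "2023-11-25T02:00:00", "event_id": 4698, "subject": "backupsvc", "host": "FS02", "task_name": "NightlyBackup", "task_content": "backup.exe --full"}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts, converting 'time' to a datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def detect_bulk_password_resets(events, threshold=5, window=timedelta(minutes=30)):
    """Flag any subject that reset at least `threshold` distinct accounts within `window`.

    A sliding window over each subject's resets means a help-desk account that
    resets a few passwords across a day is not flagged, while a burst against
    many administrator accounts is.
    """
    by_subject = defaultdict(list)
    for e in events:
        if e["event_id"] == PASSWORD_RESET:
            by_subject[e["subject"]].append(e)

    findings = []
    for subject, resets in by_subject.items():
        resets.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(resets)):
            while resets[end]["time"] - resets[start]["time"] > window:
                start += 1
            targets = {e["target"] for e in resets[start:end + 1]}
            if len(targets) >= threshold and (best is None or len(targets) > best["count"]):
                best = {"subject": subject, "count": len(targets), "targets": sorted(targets),
                        "first": resets[start]["time"], "last": resets[end]["time"]}
        if best:
            findings.append(best)
    return findings


# Command fragments that indicate a task whose action powers off or reboots the host.
SHUTDOWN_MARKERS = ("shutdown", "stop-computer", "restart-computer")


def detect_shutdown_tasks(events):
    """Flag scheduled-task creations whose command would shut down or reboot the machine."""
    findings = []
    for e in events:
        if e["event_id"] != TASK_CREATED:
            continue
        content = e.get("task_content", "").lower()
        if any(marker in content for marker in SHUTDOWN_MARKERS):
            findings.append({"subject": e["subject"], "host": e["host"],
                             "task_name": e["task_name"], "time": e["time"]})
    return findings


def correlate_actors(events, **kwargs):
    """Return the subjects that both reset passwords in bulk and created shutdown tasks."""
    reset_actors = {f["subject"] for f in detect_bulk_password_resets(events, **kwargs)}
    task_actors = {f["subject"] for f in detect_shutdown_tasks(events)}
    return reset_actors & task_actors


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in detect_bulk_password_resets(evs):
        print(f"bulk reset: {f['subject']} reset {f['count']} accounts "
              f"between {f['first']:%H:%M} and {f['last']:%H:%M}")
    for f in detect_shutdown_tasks(evs):
        print(f"shutdown task: {f['task_name']} on {f['host']} created by {f['subject']}")
    print("actors doing both:", correlate_actors(evs))
```

In a real environment the records would come from a forwarded-event collector or SIEM rather than an inline string, and the threshold and window would be tuned to the organisation's normal help-desk volume; the correlation step is what separates a noisy password-reset day from an account that is both locking administrators out and staging shutdowns.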
Rhyne was arrested in Missouri on August 27 and released after his initial court appearance. He faces serious charges, including extortion, intentional computer damage, and wire fraud, which carry a maximum penalty of 35 years in prison and a potential $750,000 fine. The case highlights the risks posed by insider threats within organizations and the severe consequences of cyber extortion.